#
# OWASP Enterprise Security API (ESAPI) Properties file -- TEST Version
#
# This file is part of the Open Web Application Security Project (OWASP)
# Enterprise Security API (ESAPI) project. For details, please see
# http://www.owasp.org/index.php/ESAPI.
#
# Copyright (c) 2008,2009 - The OWASP Foundation
#
# DISCUSS: This may cause a major backwards compatibility issue, etc. but
# from a name space perspective, we probably should have prefaced
# all the property names with ESAPI or at least OWASP. Otherwise
# there could be problems if someone loads this properties file into
# the System properties. We could also put this file into the
# esapi.jar file (perhaps as a ResourceBundle) and then allow an external
# ESAPI properties be defined that would overwrite these defaults.
# That keeps the application's properties relatively simple as usually
# they will only want to override a few properties. It looks like we
# already support multiple override levels of this in the
# DefaultSecurityConfiguration class, but I'm suggesting placing the
# defaults in the esapi.jar itself. That way, if the jar is signed,
# we could detect if those properties had been tampered with. (The
# code to check the jar signatures is pretty simple... maybe 70-90 LOC,
# but of course there is an execution penalty (similar to the way
# that the separate sunjce.jar used to be when a class from it was
# first loaded). Thoughts?
###############################################################################
#
# WARNING: Operating system protection should be used to lock down the .esapi
# resources directory and all the files inside and all the directories all the
# way up to the root directory of the file system. Note that if you are using
# file-based implementations, that some files may need to be read-write as they
# get updated dynamically.
#
# Before using, be sure to update the MasterKey and MasterSalt as described below.
# N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4,
# you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired)
# re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be
# able to decrypt your data with ESAPI 2.0.
#
# YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes.
#
#===========================================================================
# ESAPI Configuration
#
# If true, then print all the ESAPI properties set here when they are loaded.
# If false, they are not printed. Useful to reduce output when running JUnit tests.
# If you need to troubleshoot a properties related problem, turning this on may help,
# but we leave it off for running JUnit tests. (It will be 'true' in the one delivered
# as part of production ESAPI, mostly for backward compatibility.)

ESAPI.printProperties=false

# ESAPI is designed to be easily extensible. You can use the reference implementation
# or implement your own providers to take advantage of your enterprise's security
# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
#
# String ciphertext =
# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0
# CipherText cipherText =
# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
#
# Below you can specify the classname for the provider that you wish to use in your
# application. The only requirement is that it implement the appropriate ESAPI interface.
# This allows you to switch security implementations in the future without rewriting the
# entire application.
#

#===========================================================================
# ESAPI Encoder
#
# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
# Failure to canonicalize input is a very common mistake when implementing validation schemes.
# Canonicalization is automatic when using the ESAPI Validator, but you can also use the
# following code to canonicalize data.
#
# ESAPI.Encoder().canonicalize( "%22hello world&#x22;" );
#
# Multiple encoding is when a single encoding format is applied multiple times. Allowing
# multiple encoding is strongly discouraged.
Encoder.AllowMultipleEncoding=false

# Mixed encoding is when multiple different encoding formats are applied, or when
# multiple formats are nested. Allowing mixed encoding is strongly discouraged.
Encoder.AllowMixedEncoding=false

# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec

#===========================================================================
# ESAPI Encryption
#
# The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
# There is not currently any support for key rotation, so be careful when changing your key and salt as it
# will invalidate all signed, encrypted, and hashed data.
#
# WARNING: Not all combinations of algorithms and key lengths are supported.
# If you choose to use a key length greater than 128, you MUST download the
# unlimited strength policy files and install in the lib directory of your JRE/JDK.
# See http://java.sun.com/javase/downloads/index.jsp for more information.
#
# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
# possible, these methods should be avoided as they use ECB cipher mode, which in almost
# all circumstances is a poor choice because of its weakness. CBC cipher mode is the default
# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you
# should only use this compatibility setting if you have persistent data encrypted with
# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
# you have decrypted all of your old encrypted data and then re-encrypted it with
# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
# with the new 2.0 methods, make sure that you use the same cipher algorithm for both
# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
# where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
# that requires downloading the special jurisdiction policy files mentioned above.)
#
# ***** IMPORTANT: These are for JUnit testing. Test files may have been
# encrypted using these values so do not change these or
# those tests will fail. The version under
# src/main/resources/.esapi/ESAPI.properties
# will be delivered with Encryptor.MasterKey and
# Encryptor.MasterSalt set to the empty string.
#
# FINAL NOTE:
# If Maven changes these when run, that needs to be fixed.
# 256-bit key... requires unlimited strength jurisdiction policy files
#
#
# Encryptor.MasterKey=pJhlri8JbuFYDgkqtHmm9s0Ziug2PE7ovZDyEPm4j14=
# 128-bit key
Encryptor.MasterKey=a6H9is3hEVGKB4Jut+lOVA==
Encryptor.MasterSalt=SbftnvmEWD5ZHHP+pX3fqugNysc=
# Encryptor.MasterSalt=

# Provides the default JCE provider that ESAPI will "prefer" for its symmetric
# encryption and hashing. (That is it will look to this provider first, but it
# will defer to other providers if the requested algorithm is not implemented
# by this provider.) If left unset, ESAPI will just use your Java VM's current
# preferred JCE provider, which is generally set in the file
# "$JAVA_HOME/jre/lib/security/java.security".
#
# The main intent of this is to allow ESAPI symmetric encryption to be
# used with a FIPS 140-2 compliant crypto-module. For details, see the section
# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
# the ESAPI 2.0 Symmetric Encryption User Guide, at:
# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
# However, this property also allows you to easily use an alternate JCE provider
# such as "Bouncy Castle" without having to make changes to "java.security".
# See Javadoc for SecurityProviderLoader for further details. If you wish to use
# a provider that is not known to SecurityProviderLoader, you may specify the
# fully-qualified class name of the JCE provider class that implements
# java.security.Provider. If the name contains a '.', this is interpreted as
# a fully-qualified class name that implements java.security.Provider.
#
# NOTE: Setting this property has the side-effect of changing it in your application
# as well, so if you are using JCE in your application directly rather than
# through ESAPI (you wouldn't do that, would you? ;-), it will change the
# preferred JCE provider there as well.
#
# Default: Keeps the JCE provider set to whatever JVM sets it to.
Encryptor.PreferredJCEProvider=

# AES is the most widely used and strongest encryption algorithm. This
# should agree with your Encryptor.CipherTransformation property.
# By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES", which is
# very weak. It is essentially a password-based encryption key, hashed
# with MD5 around 1K times and then encrypted with the weak DES algorithm
# (56-bits) using ECB mode and an unspecified padding (it is
# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses
# "AES/CBC/PKCSPadding". If you want to change these, change them here.
# Warning: This property does not control the default reference implementation for
# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
# in the future.
# @deprecated
Encryptor.EncryptionAlgorithm=AES
# For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding

# Applies to ESAPI 2.0 and later only!
# Comma-separated list of cipher modes that provide *BOTH*
# confidentiality *AND* message authenticity. (NIST refers to such cipher
# modes as "combined modes" so that's what we shall call them.) If any of these
# cipher modes are used then no MAC is calculated and stored
# in the CipherText upon encryption. Likewise, if one of these
# cipher modes is used with decryption, no attempt will be made
# to validate the MAC contained in the CipherText object regardless
# of whether it contains one or not. Since the expectation is that
# these cipher modes support message authenticity already,
# injecting a MAC in the CipherText object would be at best redundant.
#
# Note that as of JDK 1.5, the SunJCE provider does not support *any*
# of these cipher modes. Of these listed, only GCM and CCM are currently
# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
# padding modes.
Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC

# Applies to ESAPI 2.0 and later only!
# Additional cipher modes allowed for ESAPI 2.0 encryption. These
# cipher modes are in _addition_ to those specified by the property
# 'Encryptor.cipher_modes.combined_modes'.
# Note: We will add support for streaming modes like CFB & OFB once
# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
# (probably in ESAPI 2.1).
#
# IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB
# here as this is an extremely weak mode. However, we *must*
# allow it here so we can test ECB mode. That is important
# since the logic is somewhat different (i.e., ECB mode does
# not use an IV).
# DISCUSS: Better name?
# NOTE: ECB added only for testing purposes. Don't try this at home!
Encryptor.cipher_modes.additional_allowed=CBC,ECB

# 128-bit is almost always sufficient and appears to be more resistant to
# related key attacks than is 256-bit AES. Use '_' to use default key size
# for cipher algorithms (where it makes sense because the algorithm supports
# a variable key size). Key length must agree with what's provided as the
# cipher transformation, otherwise this will be ignored after logging a
# warning.
#
# NOTE: This applies to BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
Encryptor.EncryptionKeyLength=128

# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
# (All cipher modes except ECB require an IV.) There are two choices: we can either
# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
# the IV does not need to be hidden from adversaries, it is important that the
# adversary not be allowed to choose it. Also, random IVs are generally much more
# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
# such as CFB and OFB use a different IV for each encryption with a given key so
# in such cases, random IVs are much preferred.) By default, ESAPI 2.0 uses random
# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
# uncomment the Encryptor.fixedIV.
#
# Valid values: random|fixed|specified ('specified' not yet implemented; planned for 2.1)
Encryptor.ChooseIVMethod=random
# If you choose to use a fixed IV, then you must place a fixed IV here that
# is known to all others who are sharing your secret key. The format should
# be a hex string that is the same length as the cipher block size for the
# cipher algorithm that you are using. The following is an example for AES
# from an AES test vector for AES-128/CBC as described in:
# NIST Special Publication 800-38A (2001 Edition)
# "Recommendation for Block Cipher Modes of Operation".
# (Note that the block size for AES is 16 bytes == 128 bits.)
#Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f

# Whether or not CipherText should use a message authentication code (MAC) with it.
# This prevents an adversary from altering the IV as well as allowing a more
# fool-proof way of determining the decryption failed because of an incorrect
# key being supplied. This refers to the "separate" MAC calculated and stored
# in CipherText, not part of any MAC that is calculated as a result of a
# "combined mode" cipher mode.
#
# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
# set this property to false.
Encryptor.CipherText.useMAC=true

# Whether or not the PlainText object may be overwritten and then marked
# eligible for garbage collection. If not set, this is still treated as 'true'.
Encryptor.PlainText.overwrite=true

# Do not use DES except in legacy situations. 56 bits is far too small a key size.
#Encryptor.EncryptionKeyLength=56
#Encryptor.EncryptionAlgorithm=DES

# TripleDES is considered strong enough for most purposes.
# Note: There is also a 112-bit version of DESede. Using the 168-bit version
# requires downloading the special jurisdiction policy from Sun.
#Encryptor.EncryptionKeyLength=168
#Encryptor.EncryptionAlgorithm=DESede

Encryptor.HashAlgorithm=SHA-512
Encryptor.HashIterations=1024
Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
Encryptor.DigitalSignatureKeyLength=1024
Encryptor.RandomAlgorithm=SHA1PRNG
Encryptor.CharacterEncoding=UTF-8
# Currently supported choices for JDK 1.5 and 1.6 are:
# HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and
# HmacSHA512 (512 bits).
# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though
# these JDKs support it.
Encryptor.KDF.PRF=HmacSHA256

#===========================================================================
# ESAPI HttpUtilities
#
# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
# protect against malicious data from attackers, such as unprintable characters, escaped characters,
# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
# headers, and CSRF tokens.
#
# Default file upload location (remember to escape backslashes with \\)
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
# let this default to java.io.tmpdir for testing
#HttpUtilities.UploadTempDir=C:\\temp
# Force flags on cookies, if you use HttpUtilities to set cookies
HttpUtilities.ForceHttpOnlySession=false
HttpUtilities.ForceSecureSession=false
HttpUtilities.ForceHttpOnlyCookies=true
HttpUtilities.ForceSecureCookies=true
# Maximum size of HTTP headers
HttpUtilities.MaxHeaderSize=4096
# File upload configuration
HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
HttpUtilities.MaxUploadFileBytes=500000000
# Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
# container, and any other technologies you may be using. Failure to do this may expose you
# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
HttpUtilities.ResponseContentType=text/html; charset=UTF-8
# This is the name of the cookie used to represent the HTTP session
# Typically this will be the default "JSESSIONID"
HttpUtilities.HttpSessionIdName=JSESSIONID
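The Encryptor and HttpUtilities settings above are the ones a reviewer checks first in a deployed ESAPI.properties. The following Python script is an added example, not part of ESAPI: it reads a properties file with a minimal java.util.Properties-style parser and flags the settings that this file's own comments warn against (ECB in additional_allowed, useMAC=false with a non-combined mode, a fixed IV, an empty MasterKey, session cookies forced to neither Secure nor HttpOnly, and approved upload extensions that a server would execute). SAMPLE is a constructed excerpt built from values on this page.

```python
import re

# Added example, not ESAPI's code: parse an ESAPI.properties file with a
# minimal java.util.Properties reader and flag the settings whose comments on
# this page warn against them. SAMPLE below is constructed from page values.

def parse_properties(text):
    """Handles '#'/'!' comments, '=' or ':' separators and '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # line continuation
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # Java escapes: \\ -> \, \n, \t; any other \x -> x
        value = re.sub(r"\\(.)", lambda e: {"n": "\n", "t": "\t"}.get(e.group(1), e.group(1)), value)
        props[key] = value
    return props

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".jsp", ".jsf", ".war", ".jar", ".ear", ".class"}

def audit(props):
    findings = []
    combined = {m for m in props.get("Encryptor.cipher_modes.combined_modes", "").split(",") if m}
    additional = {m for m in props.get("Encryptor.cipher_modes.additional_allowed", "").split(",") if m}
    transformation = props.get("Encryptor.CipherTransformation", "")
    mode = transformation.split("/")[1] if transformation.count("/") == 2 else ""
    if "ECB" in additional:
        findings.append("ECB is in Encryptor.cipher_modes.additional_allowed (weak mode, no IV)")
    if mode and mode not in combined | additional:
        findings.append(f"CipherTransformation mode {mode} is not an allowed cipher mode")
    if mode and mode not in combined and props.get("Encryptor.CipherText.useMAC", "true").lower() != "true":
        findings.append(f"useMAC=false with non-combined mode {mode}: IV and ciphertext are unauthenticated")
    if props.get("Encryptor.ChooseIVMethod", "random") == "fixed":
        findings.append("ChooseIVMethod=fixed: the same IV is reused for every encryption")
    if not props.get("Encryptor.MasterKey"):
        findings.append("Encryptor.MasterKey is empty")
    for flag in ("HttpUtilities.ForceSecureSession", "HttpUtilities.ForceHttpOnlySession"):
        if props.get(flag, "false").lower() != "true":
            findings.append(f"{flag} is not true")
    approved = {e.strip().lower() for e in props.get("HttpUtilities.ApprovedUploadExtensions", "").split(",")}
    risky = sorted(approved & EXECUTABLE_EXTENSIONS)
    if risky:
        findings.append(f"ApprovedUploadExtensions permits executable or server-side types: {risky}")
    return findings

# Constructed sample using values from this (test) ESAPI.properties.
SAMPLE = """\
Encryptor.MasterKey=a6H9is3hEVGKB4Jut+lOVA==
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
Encryptor.cipher_modes.additional_allowed=CBC,ECB
Encryptor.CipherText.useMAC=true
HttpUtilities.UploadDir=C:\\\\ESAPI\\\\testUpload
HttpUtilities.ForceHttpOnlySession=false
HttpUtilities.ForceSecureSession=false
HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.txt,.jsp,.exe,.dll
"""

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print("FINDING:", finding)
```

Run against the full test file above it reports the same four classes of finding; the production file described in the Encryption section (empty MasterKey) would add a fifth.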

#===========================================================================
# ESAPI Executor
# CHECKME - Not sure what this is used for, but surely it should be made OS independent.
Executor.WorkingDirectory=C:\\Windows\\Temp
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe

#===========================================================================
# ESAPI Logging
# Set the application name if these logs are combined with other applications
Logger.ApplicationName=ExampleApplication
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
Logger.LogEncodingRequired=false
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
Logger.LogApplicationName=true
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
Logger.LogServerIP=true
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
# want to place it in a specific directory.
Logger.LogFileName=ESAPI_logging_file
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
Logger.MaxLogFileSize=10000000

#===========================================================================
# ESAPI Intrusion Detection
#
# Each event has a base to which .count, .interval, and .action are added
# The IntrusionException will fire if we receive "count" events within "interval" seconds
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable)
#
# Custom Events
# Names must start with "event." as the base
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
# You can also disable intrusion detection completely by changing
# the following parameter to true
#
IntrusionDetector.Disable=false
#
IntrusionDetector.event.test.count=2
IntrusionDetector.event.test.interval=10
IntrusionDetector.event.test.actions=disable,log

# Exception Events
# All EnterpriseSecurityExceptions are registered automatically
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
# Use the fully qualified classname of the exception as the base

# any intrusion is an attack
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout

# for test purposes
# CHECKME: Shouldn't there be something in the property name itself that designates
# that these are for testing???
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
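The count / interval / actions semantics described in this section, as an added Python example that is not ESAPI's own code: thresholds are read from IntrusionDetector.* keys (the base is either "event.<name>" or a fully qualified exception class name), an event fires for a user when `count` occurrences arrive within `interval` seconds, and the configured actions are returned to the caller. TEST_PROPS is constructed from the keys on this page; the class name SimpleIntrusionDetector and the user/timestamp parameters are assumptions of the example.

```python
from collections import defaultdict, deque

# Added example, not ESAPI's code: the count / interval / actions logic
# described above, driven by IntrusionDetector.* keys. An event fires when
# `count` occurrences for the same user arrive within `interval` seconds;
# the configured actions are returned so the caller can log/logout/disable.

class SimpleIntrusionDetector:
    PREFIX = "IntrusionDetector."

    def __init__(self, props):
        self.disabled = props.get(self.PREFIX + "Disable", "false").lower() == "true"
        self.thresholds = {}
        for key, value in props.items():
            if not key.startswith(self.PREFIX) or key.count(".") < 2:
                continue                       # e.g. IntrusionDetector.Disable
            base, attr = key[len(self.PREFIX):].rsplit(".", 1)
            if attr in ("count", "interval", "actions"):
                self.thresholds.setdefault(base, {})[attr] = value
        self.history = defaultdict(deque)      # (user, base) -> recent timestamps

    def add_event(self, user, name, now):
        """Custom events are configured under the base 'event.<name>'."""
        return self._check(user, "event." + name, now)

    def add_exception(self, user, class_name, now):
        """Exceptions use their fully qualified class name as the base."""
        return self._check(user, class_name, now)

    def _check(self, user, base, now):
        t = self.thresholds.get(base)
        if self.disabled or not t:
            return []                          # unconfigured: nothing to do
        count, interval = max(int(t["count"]), 1), int(t["interval"])
        window = self.history[(user, base)]
        window.append(now)
        while len(window) > count:             # keep only the last `count` stamps
            window.popleft()
        if len(window) == count and now - window[0] < interval:
            return [a.strip() for a in t["actions"].split(",")]
        return []

# Thresholds copied from the IntrusionDetector.* keys on this page.
TEST_PROPS = {
    "IntrusionDetector.Disable": "false",
    "IntrusionDetector.event.test.count": "2",
    "IntrusionDetector.event.test.interval": "10",
    "IntrusionDetector.event.test.actions": "disable,log",
    "IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count": "1",
    "IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval": "1",
    "IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions": "log,disable,logout",
    "IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count": "10",
    "IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval": "5",
    "IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions": "log,disable,logout",
}

if __name__ == "__main__":
    d = SimpleIntrusionDetector(TEST_PROPS)
    print(d.add_event("alice", "test", 0.0))   # [] : first event only
    print(d.add_event("alice", "test", 5.0))   # ['disable', 'log'] : 2 within 10 s
```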

#===========================================================================
# ESAPI Validation
#
# The ESAPI Validator works on regular expressions with defined names. You can define names
# either here, or you may define application specific patterns in a separate file defined below.
# This allows enterprises to specify both organizational standards as well as application specific
# validation rules.
#Validator.ConfigurationFile=validation.properties

# Validators used by ESAPI
Validator.AccountName=^[a-zA-Z0-9]{3,20}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
Validator.RoleName=^[a-z]{1,20}$
Validator.Redirect=^\\/test.*$

# Validation of dates. Controls whether or not 'lenient' dates are accepted.
# See DateFormat.setLenient(boolean flag) for further details.
Validator.AcceptLenientDates=false

validation.properties

# The ESAPI validator does many security checks on input, such as canonicalization
# and whitelist validation. Note that all of these validation rules are applied *after*
# canonicalization. Double-encoded characters (even with different encodings involved)
# are never allowed.
#
# To use:
#
# First set up a pattern below. You can choose any name you want, prefixed by the word
# "Validator." For example:
# Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
#
# Then you can validate in your code against the pattern like this:
# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull);
# Where maxLength and allowNull are set for your needs, respectively.
#
# But note, when you use boolean variants of validation functions, you lose critical
# canonicalization. It is preferable to use the "get" methods (which throw exceptions)
# and use the returned user input which is in canonical form. Consider the following:
#
# try {
# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
#
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
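The canonicalization policy from the ESAPI Encoder section (Encoder.DefaultCodecList, AllowMultipleEncoding, AllowMixedEncoding) and the validate-after-canonicalization rule from this validation.properties section, as one added Python example that is not ESAPI's own code: the canonicalizer applies the three default codecs until nothing changes and counts how often each fired, and get_valid_input / is_valid_input mimic getValidInput / isValidInput using the Validator.Email and Validator.CreditCard patterns from this page. The function names, the PATTERNS table and the use of Python's html, urllib and re modules as codecs are assumptions of the example.

```python
import html
import re
from urllib.parse import unquote

# Added example, not ESAPI's code: an ESAPI-style canonicalizer using the
# codecs in Encoder.DefaultCodecList and the AllowMultipleEncoding /
# AllowMixedEncoding policy, plus getValidInput / isValidInput look-alikes.

class IntrusionException(Exception): pass
class ValidationException(Exception): pass

_JS_ESCAPE = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|(.))")

def _javascript_codec(s):
    def repl(m):
        code = m.group(1) or m.group(2)
        if code:
            return chr(int(code, 16))
        return {"n": "\n", "t": "\t", "r": "\r"}.get(m.group(3), m.group(3))
    return _JS_ESCAPE.sub(repl, s)

# Same codecs, same order, as Encoder.DefaultCodecList on this page.
DEFAULT_CODECS = [("HTMLEntityCodec", html.unescape),
                  ("PercentCodec", unquote),
                  ("JavaScriptCodec", _javascript_codec)]

def canonicalize(data, allow_multiple=False, allow_mixed=False):
    """Decode until no codec changes the input, then apply the policy."""
    decodes = {name: 0 for name, _ in DEFAULT_CODECS}
    working, changed = data, True
    while changed:
        changed = False
        for name, codec in DEFAULT_CODECS:
            decoded = codec(working)
            if decoded != working:
                decodes[name] += 1
                working, changed = decoded, True
    if not allow_multiple and any(n > 1 for n in decodes.values()):
        raise IntrusionException(f"multiple encoding: {decodes}")
    if not allow_mixed and sum(n > 0 for n in decodes.values()) > 1:
        raise IntrusionException(f"mixed encoding: {decodes}")
    return working

# Patterns from the Validator.* keys on this page, Java string escaping removed.
PATTERNS = {
    "Email": r"^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,4}$",
    "CreditCard": r"^(\d{4}[- ]?){3}\d{4}$",
}

def get_valid_input(context, data, type_name, max_length, allow_null):
    """Like ESAPI.validator().getValidInput(): returns the canonical form."""
    if data is None or data == "":
        if allow_null:
            return None
        raise ValidationException(f"{context}: input required")
    canonical = canonicalize(data)
    if len(canonical) > max_length:
        raise ValidationException(f"{context}: longer than {max_length}")
    if not re.fullmatch(PATTERNS[type_name], canonical):
        raise ValidationException(f"{context}: not a valid {type_name}")
    return canonical

def is_valid_input(context, data, type_name, max_length, allow_null):
    """Boolean variant: the canonical form is discarded, as the text warns."""
    try:
        get_valid_input(context, data, type_name, max_length, allow_null)
        return True
    except (ValidationException, IntrusionException):
        return False
```

With this page's defaults (both Allow* properties false) the Encoder section's own sample string "%22hello world&#x22;" is rejected as mixed encoding, since it needs both the percent and the HTML entity codec; pass allow_mixed=True to obtain "hello world" in quotes.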